Device fraud indicator detection and reporting

ABSTRACT

Various embodiments herein each include at least one of systems, devices and methods for detection of abnormal operation of a Self-Service Terminal (SST). One such embodiment, in the form of a method performed by a SST or remote system, includes receiving information relating to the operation of a SST. The method further includes evaluating the information to identify abnormal operation of the SST.

BACKGROUND INFORMATION

Increasingly consumers are conducting financial transactions throughSelf-Service Terminals (SSTs) without the assistance of a teller orclerk. In fact, in many cases these transactions are conducted withoutany individual, other than a consumer, in the vicinity of the SSTs. Insome cases, a security camera may be integrated into the SSTs or inproximity to the SSTs.

Common Self-Service Terminals include Automated Teller Machines (ATMs)and self-checkout terminals. Most SSTs are connected through a networkto a remote system, which allows exchange of bank account or credit cardinformation. An SST typically employs electronic and physical securitymeasures to protect currency stored therein and transaction servicesperformed thereon.

When a SST is manipulated to conduct unauthorized activity, themanipulation may not be detected until long after the act is complete.Security camera recordings may be reviewed for evidence of tampering andpolice may be involved to apprehend perpetrators, if they can beidentified.

SUMMARY

Various embodiments herein each include at least one of systems,methods, and software for detection of abnormal operation of aSelf-Service Terminal (SST).

One such embodiment, in the form of a method performed by a SST orremote system, includes receiving information relating to the operationof a SST. In various examples, the information includes operationalparameters such as system reboots, initiation of new services, removalof a hard disk, detection of a new hard disk, memory usage greater thana known threshold, change in memory footprint, logging behavior, eventswithin a transaction, usage of a prepaid card, or supervisor access. Themethod further includes evaluating the information to identify abnormaloperation of the SST, such as evaluating two or more pieces ofinformation in combination, identifying a sequence of events, or absenceof events from a sequence, that indicate a departure from normaloperation, or a combination thereof.

Another method embodiment includes detecting abnormal activity relatingto a Self-Service Terminal (SST) by receiving data relating to at leasttwo operational parameters of the SST and evaluating the data toidentify an activity pattern. The method declares an alert when anidentified activity pattern deviates from an expected set of operationalstates

A further embodiment is in the form of a Self-Service Terminal (SST).The SST includes a memory and a processor executing instructions tomonitor for abnormal activity on the SST. The processor evaluatesactivity of at least two operational parameters of the SST incombination. When abnormal activity is detected, the processors executea responsive action.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a logical block diagram of a system, according to an exampleembodiment.

FIG. 2 is a block flow diagram of a method, according to an example,embodiment.

FIG. 3 is a block flow diagram of a method, according to an example,embodiment.

FIG. 4 is a block diagram of a computing device, according to an exampleembodiment.

DETAILED DESCRIPTION

Various embodiments herein each include at least one of systems,methods, and devices for identification of abnormal operation of aSelf-Service Terminal (SST), such as an Automated Teller Machine (ATM).Such embodiments support the prevention or interruption of a fraudperpetrated using a SST, as opposed to mere post-fraud informationgathering. As used herein, fraud refers to execution of a transactionthrough improper activity, e.g. by circumventing or imitating stepsrequired to purchase or receive something of value without trueauthorization. This may be conducted, for example, through falseidentification, intrusions through electronic, physical, or softwaretechniques (“hacks”), violating physical or electronic securitymeasures. Prevention or interruption of fraud both preserves assets thatmight otherwise be lost to fraud and discourages perpetrators who arethwarted in their efforts to obtain money, objects, or services, orother items of value through fraud.

In some embodiments, a SST, remote system, or combination thereofactively monitor for indications that fraudulent, or potentiallyfraudulent, activity is underway. In some embodiments, a SST functionsalone to monitor for fraud, i.e. the method is performed locally by theSST. In other embodiments, the SST sends information to a remote deviceor system that analyzes the information to determine whether thebehavior is potentially fraudulent.

In some embodiments, a fraud detection is performed by both a SST and aremote system. The SST and remote system may work serially, or inparallel, or otherwise collaborate. In an example, a SST performs afirst tier of evaluation and, when certain conditions are met, e.g. apotential fraud is detected the remote system performs a second tier ofevaluation to further investigate whether a fraud is underway. Theremote system may, for example perform more in-depth analysis ofinformation processed by the SST, or may consider additional informationobtained from the SST or elsewhere.

In some example embodiments, a SST evaluates activity and, when markersof potential-fraud are identified, triggers passage of information to aremote system for additional evaluation. The SST may also, on its own orat the command of a remote fraud detection system or human user, entersan alternate mode of operation, such as enhanced surveillance,interactive session, lock-down, or alert.

In some embodiments, actively monitoring for indicators of potentiallyfraudulent activity allows for recognition of a fraud (or potentialfraud) while the fraud is underway. In some embodiments, a systemmonitors for two or more events that, when taken alone, may be benign,but, when evaluated in combination, provide an indication that operationof the SST has deviated from normal expectations, suggesting that apotential fraud is in progress.

In some example embodiments, a potential fraud is identified from apattern of activity. In some embodiments, a SST or remote frauddetection system monitor for a sequence of events that suggest apotential fraud. For example, some embodiments monitor for more than onereset or system reboot in a period of time, in combination with one ormore other operational parameters. In an example, a potential fraud isidentified when two reboots or resets of the SST (or a system in orcoupled to the SST) occur in ten minutes. In an example, an embodimentdevelops a level of confidence that a fraud is in progress based upondetected activity. For example, when two or more resets in a period oftime (e.g. 10 minutes) are followed by supervisor access, the confidencethat a fraud is in progress is greater. And when further followed byremoval of a USB camera and subsequent supervisor access within aminute, that confidence is greater still. And when a system detect ofsome or all of the foregoing pattern multiple resets in a relativelyshort period, e.g. 10 minutes, followed by supervisor access, isfollowed by removal of a US camera and supervisor access, the systemdevelops strong confidence that a fraud may be underway. In someembodiments, when a potential fraud is detected, a fraud detectionsystem triggers a heightened state of alert, communicates an alert,initiates action to interrupt the fraud, or some combination thereof.

In an example, the SST monitors for a pattern of activity that suggestsa fraud is in progress. For example, the SST may monitor for removal ofa USB media device, followed by supervisor access, in combination withuse of a pre-paid card in a previous transaction or subsequenttransaction.

Some embodiments monitor for untypical system behavior, for examplebased upon application, operating system, or other software or hardwarestate information. For example, some example embodiments monitor forincreased memory footprint when no transactions have occurred in aspecified period of time (e.g. 30 minutes) and no software download istaking place.

Some embodiments, on detection of potential fraud, initiate a shutdownof the SST, take a photograph or video footage, send an alert to lawenforcement, or a combination thereof.

In an example, a remote fraud detection system receives information froma SST and analyzes the information to detect instances of potentialfraud, which it communicates to a SST monitoring system, the ATM, orboth. In an example embodiment, the SST communicates with an APTRA^(tm)Vision system, available from NCR Corporation. In some examples, APTRAVision facilitates human intervention or interaction with a SST, orcooperates with a system that does so. In example embodiments, APTRAVision communicates with a Fractals™ fraud detection system (availablefrom NCR Corporation), which monitors SST activity or transactions. Insome examples, the Fractals system communicates directly with a SSTregarding transactions or detected activity.

In the following detailed description, reference is made to theaccompanying drawings that form a part hereof, and in which is shown byway of illustration specific embodiments in which the inventive subjectmatter may be practiced. These embodiments are described in sufficientdetail to enable those skilled in the art to practice them, and it is tobe understood that other embodiments may be utilized and thatstructural, logical, and electrical changes may be made withoutdeparting from the scope of the inventive subject matter. Suchembodiments of the inventive subject matter may be referred to,individually and/or collectively, herein by the term “invention” merelyfor convenience and without intending to voluntarily limit the scope ofthis application to any single invention or inventive concept if morethan one is in fact disclosed.

The following description is, therefore, not to be taken in a limitedsense, and the scope of the inventive subject matter is defined by theappended claims.

The functions or algorithms described herein are implemented inhardware, software or a combination of software and hardware in oneembodiment. The software comprises computer executable instructionsstored on computer readable media such as memory or other type ofstorage devices. Further, described functions may correspond to modules,which may be software, hardware, firmware, or any combination thereof.Multiple functions are performed in one or more modules as desired, andthe embodiments described are merely examples. The software is executedon a digital signal processor, ASIC, microprocessor, or other type ofprocessor operating on a system, such as a personal computer, server, arouter, or other device capable of processing data including networkinterconnection devices.

Some embodiments implement the functions in two or more specificinterconnected hardware modules or devices with related control and datasignals communicated between and through the modules, or as portions ofan application-specific integrated circuit. Thus, the exemplary processflow is applicable to software, firmware, and hardware implementations.

FIG. 1 is a logical block diagram of a system 100, according to anexample embodiment. The system includes a self-service terminal (SST)102. The SST 102 is a terminal through which customers can interact andconduct transactions. In some embodiments, the SST 102 may be aself-service checkout terminal. In other embodiments, the SST 102 may bean ATM. In further embodiments, the SST 112 may be a gaming machine orother machine on which one or both of secure customer interactions andtransaction may be conducted.

The SST 102 is communicatively coupled to a wired or wireless networkthrough which it can communicate to a SST management system running onat least one server 104. The server 104 is typically connected to anetwork, such as the Internet, that allows processes that execute on theservers 104 to communicate with various SSTs, computers, or mobiledevices. The server 104 may also be connected to a secure network, whichmay be dedicated at least in part to communicating with SSTs 102, suchas an ATM network. The secure network 110 may rely on secure networkingprotocols that allow secure data to be carried on other networks, suchas the Internet. However, in some embodiments, the secure network 110may be, at least in part, a physically secured network.

The server 104 is in communication with a fraud detection system 106. Inexample embodiments, the SST management system is also in communicationwith a SST monitoring system 108, a payment network 110, e.g. creditcard service providers, and a banking system 112, with which financialtransactions are processed.

In an example, the SST management system 104 is APTRA™ Vision, availablefrom NCR™. In an example, the fraud detection system is the Fractals™system, available from NCR. The server 104 receives information aboutoperational parameters of the SST 102 from the SST 102 and provides atleast some of the information to the fraud detection system 106. Thefraud detection system 106 monitors the information from the SST 102 forindicators of potential fraud. In an example, the monitoring by thefraud detection includes analyzing operational state information fordeviation from expected norms, checking for an expected series of eventspreceding a financial transaction, or monitoring reported activity forpatterns indicative of fraud.

In an example embodiment, the fraud detection system 106 communicates tothe server 104 when a potential fraud is detected. In exampleembodiments, the server communicates to the SST 102 to initiateresponsive action. In some examples, the responsive action includescollection or transfer of additional information (e.g. collect moreoperational data, take camera snapshots, or capture video footage), amode change (e.g. switching to interactive mode with a remote user),suspend (or later authorize) a transaction, or shut down or block localcommunication with the SST.

In some examples, the fraud detection system 106 communicates directlywith the SST 102. For example, the fraud detection system 106 mayrequest more information, change mode, suspend a transaction, authorizea previously-suspended transaction, or shut down or block communicationwith the SST. In some examples, the fraud detection system communicateswith both the server 104 and SST 102 to execute fraud detection methodsor communicate or authorize transactions.

A monitoring system 108 may be in communication with the server. In anexample, the monitoring system is a component or extension of a SSTmonitoring system running on a server 102, such as a portal running on adesktop or laptop computer, tablet, phone, or other device. In anexample, the monitoring system 108 presents a human-viewable dashboardof activity at a SST 102, or a group of SSTs. In an example embodiment,a potential fraud alert is presented on the dashboard. In an exampleembodiment, an interactive session is accessible on the monitoringsystem 108 to facilitate an interactive mode with a SST 102.

FIG. 2 is a block flow diagram of an example method 200 executable onexample systems and devices. The method includes receiving 202information relating to the operation of a SST.

The information is evaluated 204 to identify potentially fraudulentactivity. In some example methods, a fraud detection system monitors forindicators of potentially-fraudulent activity, such as two reboots orresets within a specified period of time, especially without acorresponding authorization (e.g. field service ticket) or inconjunction with the initiation of a new service. In some examples, theevaluating 204 includes identifying a sequence of events, or absence ofevents from a sequence, that indicate a departure from expected (normal)operation. In some example embodiments, the method 200 includesreceiving at least two qualitatively distinct pieces of informationrelating to the operation of the SST, and evaluating 204 the at leasttwo qualitatively distinct pieces of information in combination. Themethod 200 may also include identifying two or more changes occurringwithin a specified timeframe. In some example embodiments, the methodincludes monitoring for changes of two or more of the following within aspecified timeframe or under specified conditions: system reboot;initiation of new services; removal of a hard disk; detection of a newhard disk; memory usage greater than a known threshold; memoryfootprint; logging behavior; specified events within a transaction;usage of a prepaid card; supervisor access.

In some examples, the method 200 also includes one or more of additionalsteps 206, 208, 210, 2012, 214, 216 in series or parallel. At 206, themethod 200 transfers information relating to the operation of a SST to aremote system for further analysis or review. While in some examples themethod 200 may be executed locally on a SST, in other examples themethod is executed solely on a remote fraud detection system, or jointlywith cooperation between a SST and remote fraud detection system.Involvement of a remote fraud detection system allows for execution ofmore rigorous fraud detection algorithms and integration of informationfrom a SST with other information, e.g. a knowledge database of priorfraudulent activity, or recent activity at other SSTs, especially if theSSTs are in near geographic proximity, suggesting a local pattern ofpotential fraud.

At 208 the method evaluates additional information relating to theoperation of the SST. In some examples, evaluation of operationalinformation by the SST triggers more in-depth analysis using additionalinformation, which may come from the SST or elsewhere (e.g. other SSTsor obtained from the server. For example, the local or remote frauddetection system notices something that moves the system into aheightened detection state, where the fraud detection system evaluatesmore information, evaluates more frequently, or performs more in-depthanalysis. In some examples, the method identifies activity as apotential fraud and the system gathers additional information to furtherinvestigate whether fraud is occurring to increase the confidence levelbefore taking more disruptive action (e.g. initiating an interactivemode or shutting down the SST.)

At 210, the method 200 triggers capture of additional informationrelating to the operation of the SST. In an example, logging isincreased, or operational state information is captured and relayed tothe fraud detection system. In some examples, camera, audio, or videoinformation is captured.

At 212, the method 200 shuts down or blocks access to the SST. If afraud or potential fraud is identified, the fraud may be stopped bydisrupting operation of the SST. For example, electronic or physicalaccess to the SST may be blocked by locking the system, or the systemmay be shut down completely, or certain functions (e.g. dispensing anitem such as cash) may be blocked.

At 214, the method 200 initiates an interactive mode. In an example, aSST user communicates with a person in a remote location using a textchat system, audio system, or video system.

At 216, the method 200 changes the behavior of other SSTs in a specificgeographic region around the SST. In an example, when a pattern ofpotential fraud is detected at a SST, fraud detection at other SSTs ismodified to account for the identified pattern. In an example, when apattern of potential fraud is detected at a SST, additional datacollection, such as video streaming or capture, is initiated at otherSSTs. This may enable, for example, detection of fraud at other SSTs oridentification of a fraud perpetrator who attacks multiple systems.

These various actions may occur in combination, e.g. additionalinformation may be evaluated 208, leading to capture of additionalinformation 210 and transfer of information to a remote system 206,which may lead to initiation of interactive mode 214 or system shut-down212. Other combinations are possible.

At 218, the method 200 includes taking action to interruptpotentially-unauthorized activity. In an example, the method 200includes triggering an alert at the SST, which may include notificationof police or other authorities, biometric capture (e.g. photograph,audio, video, fingerprint, facial recognition, etc.), creating a visualor audio disturbance (e.g. flashing lights or sounds), shutting down orblocking access to the SST.

FIG. 3 is a block flow diagram of an example method 300 executable onexample systems and devices. The method includes capturing 302 datarelating to at least two operational parameters of the SST. When themethod is executed partially or completely on one more remote systems,data is transferred 304 from the SST to the remote system. In someexamples, the method is performed on a SST, so the transfer occurslocally between components installed at a SST, or the transfer 304 isomitted and the subsequent steps occur within the SST system thatcaptured the data. In some examples, information is collected locallyand sent to a remote fraud detection system for analysis. In anotherexample, the SST runs local fraud detection system and, if potentiallyfraudulent activity is detected, the local fraud detection system sendsinformation for further analysis by a remote fraud detection system,which may perform more in depth analysis, request additional informationfrom the SST, or trigger an alert.

The method 300 further includes evaluating 306 the data to identify anactivity pattern. In an example, the method includes checking for aseries of expected events leading up to an event, such as the dispensingof an item (e.g. cash, valuables, stamps, gift cards, services, or aprinted bar code that can be exchanged for goods or services.) Themethod may include, for example, checking for the presence of a log, orthe contents of the log. The method may also include evaluating changesin state, memory usage, and hardware configuration. In some examples,the method monitors for a pattern of activity of events or states thatin insolation may seem benign, but in combination indicate fraud, orpotential fraud. For example, the method may evaluate a combinationsystem reboot; initiation of new services; removal of a hard disk;detection of a new hard disk; memory usage greater than a knownthreshold; memory footprint; logging behavior; events within atransaction; usage of a prepaid card; and supervisor access.

The method further includes 300 triggering 308 an alert. In an example,declaring the alert 308 sends a notification to a management system. Inanother example, declaring the alert 308 triggers collection or analysisof additional information or transfer of information to a remote frauddetection system. In another example, declaring the alert 308 notifiesauthorities (e.g. police or security personnel) that apotentially-fraudulent event is in progress. In another example,declaring the alert 308 changes the behavior of the SST, or other SSTsin geographic proximity to the SST.

FIG. 4 is a block diagram of a computing device, according to an exampleembodiment. In one embodiment, multiple such computer systems areutilized in a distributed network to implement multiple components in atransaction-based environment. An object-oriented, service-oriented, orother architecture may be used to implement such functions andcommunicate between the multiple systems and components. One examplecomputing device in the form of a computer 410, may include a processingunit 402, memory 404, removable storage 412, and non-removable storage414. Although the example computing device is illustrated and describedas computer 410, the computing device may be in different forms indifferent embodiments. For example, the computing device may instead bea smartphone, a tablet, smartwatch, or other computing device includingthe same or similar elements as illustrated and described with regard toFIG. 4. Devices such as smartphones, tablets, and smartwatches aregenerally collectively referred to as mobile devices. Further, althoughthe various data storage elements are illustrated as part of thecomputer 410, the storage may also or alternatively include cloud-basedstorage accessible via a network, such as the Internet.

Returning to the computer 410, memory 404 may include volatile memory406 and non-volatile memory 408. Computer 410 may include—or have accessto a computing environment that includes a variety of computer-readablemedia, such as volatile memory 406 and non-volatile memory 408,removable storage 412 and non-removable storage 414. Computer storageincludes random access memory (RAM), read only memory (ROM), erasableprogrammable read-only memory (EPROM) and electrically erasableprogrammable read-only memory (EEPROM), flash memory or other memorytechnologies, compact disc read-only memory (CD ROM), Digital VersatileDisks (DVD) or other optical disk storage, magnetic cassettes, magnetictape, magnetic disk storage or other magnetic storage devices, or anyother medium capable of storing computer-readable instructions.

Computer 410 may include or have access to a computing environment thatincludes input 416, output 418, and a communication connection 420. Theinput 416 may include one or more of a touchscreen, touchpad, mouse,keyboard, camera, one or more device-specific buttons, one or moresensors integrated within or coupled via wired or wireless dataconnections to the computer 410, and other input devices. The computer410 may operate in a networked environment using a communicationconnection 420 to connect to one or more remote computers, such asdatabase servers, web servers, and other computing device. An exampleremote computer may include a personal computer (PC), server, router,network PC, a peer device or other common network node, or the like. Thecommunication connection 420 may be a network interface device such asone or both of an Ethernet card and a wireless card or circuit that maybe connected to a network. The network may include one or more of aLocal Area Network (LAN), a Wide Area Network (WAN), the Internet, andother networks. In some embodiments, the communication connection 420may also or alternatively include a transceiver device, such as aBLUETOOTH® device that enables the computer 410 to wirelessly receivedata from and transmit data to other BLUETOOTH® devices. Computer 410also typically includes an out-of-band controller 422.

Computer-readable instructions stored on a computer-readable medium areexecutable by the processing unit 402 of the computer 410. A hard drive(magnetic disk or solid state), CD-ROM, and RAM are some examples ofarticles including a non-transitory computer-readable medium. Forexample, various computer programs 425 or apps, such as one or moreapplications and modules implementing one or more of the methodsillustrated and described herein or an app or application that executeson a mobile device or is accessible via a web browser, may be stored ona non-transitory computer-readable medium.

It will be readily understood to those skilled in the art that variousother changes in the details, material, and arrangements of the partsand method stages which have been described and illustrated in order toexplain the nature of the inventive subject matter may be made withoutdeparting from the principles and scope of the inventive subject matteras expressed in the claims.

What is claimed is:
 1. A method of identifying abnormal operation of aSelf-Service Terminal (SST), comprising: receiving information relatingto the operation of a SST; and evaluating the information to identifyabnormal operation of the SST.
 2. The method of claim 1, whereinevaluating the information to identify abnormal operation of the SSTcomprises identifying a sequence of events, or absence of events from asequence, that indicate a departure from normal operation.
 3. The methodof claim 1, wherein receiving information relating to the operation of aSST comprises receiving at least two qualitatively distinct pieces ofinformation relating to the operation of the SST, and evaluating theinformation to identify abnormal operation of the SST comprisesevaluating the at least two qualitatively distinct pieces of informationin combination.
 4. The method of claim 3, wherein evaluating the atleast two qualitatively distinct pieces of information comprisesevaluating at least two of: system reboot; initiation of new services;removal of a hard disk detection of a new hard disk; memory usagegreater than a known threshold; memory footprint; logging behavior;events within a transaction; usage of a prepaid card; and supervisoraccess.
 5. The method of claim 1, wherein evaluating the information toidentify abnormal operation of the SST comprises monitoring for anincrease in memory footprint when no transactions have occurred in aspecified period of time and no software download is taking place. 6.The method of claim 1, further comprising sending information relatingto the operation of a SST to a remote system for further analysis orreview, and receiving a command from the remote system to initiatepreventative action to interrupt potentially-unauthorized activity. 7.The method of claim 1, further comprising, when abnormal operation ofthe SST is identified, at least one of evaluating additional informationrelating to the operation of the SST, triggering capture of additionalinformation relating to the operation of the SST, transferringinformation about operation of the SST to a another device or system forfurther analysis, shutting down or blocking access to the SST, andentering a specified mode of operation.
 8. The method of claim 1,further comprising, when abnormal operation of the SST is identified,entering an interactive mode wherein a user may interact with a remoteuser to complete a transaction.
 9. The method of claim 1, furthercomprising, when abnormal operation of the SST is identified, changingthe behavior of other SSTs in a specific geographic region around theSST.
 10. A method of detecting abnormal activity relating toSelf-Service Terminal (SST) comprising: receiving data relating to atleast two operational parameters of the SST; evaluating the data toidentify an activity pattern; and declaring an alert when an identifiedactivity pattern deviates from an expected set of operational states.11. The method of claim 10, wherein evaluating the data to identify anactivity pattern comprises ascertaining whether an expected series ofevents occur before a specified event.
 12. The method of claim 11,wherein the specified event is the dispensing of an item and theexpected series of events comprise expected authorizing activity leadingup to the dispensing of an item.
 13. The method of claim 10, wherein theevaluating the data comprises evaluating at least two of changes instate, memory usage, and hardware configuration.
 14. The method of claim10, further comprising capturing data relating to the operationalparameters of the SST using the SST and transferring the data from theSST to a remote system, wherein the receiving data, evaluating the data,and declaring an alert occur on the remote system.
 15. A Self-ServiceTerminal (SST) comprising: a memory; a processor executing instructionsto monitor for abnormal activity on the SST, the processor operable toevaluate activity of at least two operational parameters of the SST incombination and execute a responsive action when abnormal activity isdetected.
 16. The self-service terminal of claim 15, wherein theprocessor is operable to initiate capture of additional information inresponse to detection of abnormal activity.
 17. The self-serviceterminal of claim 15, wherein the processor is operable to, prior todispensing cash, evaluate whether the activity of the at least twooperational parameters of the SST indicate abnormal activity, andrefrain from dispensing cash when abnormal activity is detected.
 18. TheSST of claim 15, further comprising a network connection, wherein theprocessor is further operable to initiate transfer of information to aremote system when abnormal activity is detected.
 19. The SST of claim18, wherein the processor is further operable to receive an instructionfrom a remote system to change the behavior of the SST, the change inbehavior comprising at least one evaluating additional informationrelating to the operation of the SST, triggering capture of additionalinformation relating to the operation of the SST, sending informationabout operation of the SST to a remote device or system for furtheranalysis, shutting down or blocking access to the SST, and entering aninteractive mode
 20. The SST of claim 15, wherein the SST is anAutomated Teller Machine (ATM).